from the next-time-listen-to-experts dept

Before FOSTA passed, a ton of experts warned it would lead to bad things, and now we're seeing more and more stories about how FOSTA is actually increasing the sex trafficking problem, rather than decreasing it. Police have admitted that it's now harder to catch traffickers without the information they used to get from Backpage, and pimps have apparently seized on the opportunity to make use of the disappearance of Backpage and other sites to more aggressively position themselves as the only option for sex workers.

“Without being able to advertise online,” Long said, “a huge number of sex workers were forced to go outside, and many have reported that former pimps came out of the woodwork offering to ‘manage’ their business again since they were now rendered unable to find and screen clients online.”

[...]

“The very bill that was supposed to stop trafficking has quite literally given formerly irrelevant traffickers new life,” Long said.

I'm truly curious how the various folks who stumped for FOSTA now feel about this. A bunch of Hollywood stars, including Amy Schumer, Seth Meyers, Josh Charles and Tony Shaloub, all stumped on behalf of FOSTA, making claims that were blatantly untrue. It would be nice if these celebrities could respond to all of the new evidence showing that -- just as sex workers and experts predicted -- FOSTA has made the situation much worse for sex workers, and put many of them in serious danger.

from the wherein-'thwart'-means-'standing-by-idly-while-events-take-their-cou dept

The enthusiastic republishing of the FBI's narrative does little more than rewrite the DOJ's press release. Very few have dug into the charging documents. If they had, they might not have depicted a terrorist attack that was never going to happen as somehow being "thwarted" by the arrest of a 26-year-old man reeling from the recent loss of his children in a custody battle.

According to the criminal complaint [PDF], Everitt Jameson was planning to detonate explosives at Pier 39 in San Francisco, a popular destination for tourists. The lead-up to Jameson's arrest (and supposed "thwarting") was filled with FBI informants and undercover agents, but not a single actual member of a terrorist group.

The investigation began with a paid informant passing on Jameson's Facebook activity to the FBI.

On September 19, 2017, a credible FBI Confidential Human Source (CHS) who has accurately reported to the FBI on national security matters in the past, reported a suspicious Facebook account. The Facebook persona was Everitt Aaron Jameson, vanity everittj. The Facebook id # was hidden. The CHS reported Jameson was "Liking" and "Loving" posts that were pro-ISIS and pro-terrorism. To provide an example of the types of posts Jameson was "Liking" and "Loving" during this time period, the CHS reported to the FBI that Jameson "loved" a post on November 29, 2017 that is an image of Santa Claus standing in New York with a box of dynamite. The text of the post reads, "ISIS post image of Santa with dynamite threatening attack on New York." The Propaganda poster shows Santa Claus standing on a roof next to a box of dynamite looking out over a crowd of shoppers with the words "We meet at Christmas in New York… soon." Under this post, Jameson selected the "Like" option and then selected the "Heart" option to signify that he "Loved" the post.

As we've noted before, "liking" social media posts is not the same thing as endorsing the content. Jameson may have liked the sentiments expressed, but it doesn't immediately follow he would be willing to engage in violent acts of terrorism. That's not what the FBI thought, though. Rather than monitor the account and open a preliminary investigation, the FBI decided to get involved. Undercover agents began communicating with Jameson pretending to be ISIS members. Over the next couple of months, agents frequently exchanged messages and met with Jameson, nudging him towards committing an act of terrorism.

Jameson pledged his limited utility to the cause, fulfilling the expected "material support" charges by offering use of his tow truck and his (very brief) background as a US Marine. (Jameson was discharged shortly after basic training for failing to disclose his asthma.) He also said he could kick in about $400 a month.

Jameson did state he was considering something along the lines of the San Bernardino shootings or the New York attack in which a vehicle was driven into a crowd. But the FBI was more interested in getting Jameson to build bombs. Jameson was compliant, but seemingly unable to actually acquire the supplies to build them.

UCE2 asked Jameson what assistance the UCE2 could provide. Jameson stated that he needed ammunition, powder, tubing, and nails. When asked what kind of a weapon he would need, Jameson noted that he would prefer an assault rifle. He also explained that he was trained in both the M-16 and an AK-47 rifle. Jameson also stated that he needed timers and remote detonators (presumably for the explosive charges Jameson previously described to the UCE2). Jameson said that he could get the PVC pipe, nails, and powder (presumably, black powder used for commercial explosives and ammunition).

That conversation happened on December 16th. On December 18th, no further preparation for the attack had been done by Jameson. The undercover agent tried to arrange another meeting about the attack plans, but was rebuffed by Jameson.

Later during the evening, the UCE2 contacted Jameson to discuss arranging a follow-up meeting. Jameson responded by indicating that he had been "very busy tonight." Moreover, Jameson told the UCE2, "I also don't think I can do this after all. I've reconsidered." The UCE2 stated, "We only can do Allahs will," and Jameson replied "In Sha Allah one day I can. But I can't."

Rather than keep tabs on the little terrorist that couldn't, the FBI decided to call in its markers. It acquired a search warrant for Jameson's residence one day later. The search uncovered some handguns, a rifle, 13 rounds of ammunition, and four fireworks. The feds also found his handwritten note pledging allegiance to ISIS and Jameson's will, signed and executed on November 11th.

As far as the complaint states, Jameson was never in contact with any suspected ISIS members. All discussions about a terrorist attack involved at least one FBI undercover agent. Jameson himself took himself out of play by stating he couldn't go through with the planned attack. This statement was made before supplies were gathered or a storage area obtained to assemble and store the bombs. The "terrorist" who "thwarted" his own attack sounds very much like a person looking for some sort of direction in his life after a traumatic divorce and chose exactly the wrong sort of people to identify with. That his closest contacts during this period were FBI agents interested in securing a terrorism bust does little to further the narrative of ticking terrorist time bomb disarmed at the last minute by heroic G-men.

One wonders how many discussions about attacking America Jameson would have engaged in if simply left alone. Or if he would have come up with plans to blow up part of San Francisco if he hadn't found supposedly like-minded ISIS supporters to talk to. It's impossible to say Jameson never would have engaged in violence, but the criminal complaint shows Jameson did nothing more than click Facebook buttons before the FBI got involved. And for that, he's probably going to go to prison for a long time. It seems Jameson would have benefited from a few more positive role models. But steering confused and depressed people away from sympathizing with ISIS doesn't make headlines. And it certainly doesn't help keep the lights on at the FBI.

from the breaking-the-duopoly-logjam dept

It probably goes without saying that while improving in spots, American broadband isn't much to write home about. Americans pay more money for slower service and worse customer support than a long list of developed countries. Some of that's thanks to geography, but more of it's due to a lack of competition. That lack of competition is, by proxy, thanks to our refusal to address the stranglehold these giant companies have over our federal and state regulators and lawmakers. Instead of fixing this problem, current regulators seem more interested in weakening deployment definitions to help industry pretend the problem doesn't exist.

In a growing number of towns and cities, residents have increasingly pushed to either build their own broadband networks, or strike public/private partnerships to help improve service quality and availability. Instead of trying to make these efforts irrelevant by offering better service at lower rates, incumbent ISPs have focused on paying often clueless lawmakers to help pass protectionist bills restricting what locals can and can't do with their own local infrastructure and taxpayer dollars. More than twenty states have now passed laws to this effect quite literally written by ISP lobbyists.

Both San Francisco and Seattle have considered building their own broadband networks in a quest to end this duopoly logjam. In Seattle, Mayoral Candidate Cary Moon is promising to build a citywide fiber network if elected, something lobbying spending indicates is making regional ISPs Comcast and CenturyLink nervous. And in San Francisco, the city is now promising to build the biggest municipal broadband network yet, with a new report (pdf) indicating the cost to connect every home and business in the city would be somewhere around $1.9 billion.

Unlike some projects where the city owns both the network and the service provided on top, San Francisco's model would be open access -- meaning any ISP -- small or large -- would be invited in to compete:

"Our approach is to create as much market competition as possible at both the dark fiber and lit services layers. In this approach, the City’s concessionaires would not enter the internet business, but rather would enable robust private sector competition."

Back in 2009, an FCC study found that such open access models result in more competition and lower rates (pdf). But, overly-influenced by large ISPs terrified of competition, the FCC promptly put the study in a drawer and forgot about it. Isolated municipal broadband deployments still sometimes embrace the idea, however. Like in Ammon, Idaho, where the municipal network there lets consumers switch between multiple ISPs in a matter of seconds if they're dissatisfied with their carrier. Open access was the model Google Fiber originally promised it would pursue with its own gigabit fiber build before promptly backpedaling.

Over at Wired, Harvard Law Professor Susan Crawford argues that the open access model provides a good balance to ISP worries that the government itself would somehow be a competitor incentivized to disadvantage private sector companies:

The city would not be in the business of competing with existing providers in this model, but would, instead, be providing basic infrastructure that any company could use—the connectivity equivalent of a city street grid. The cost to the public of borrowing the money to build this basic network—estimated at about $1.5 billion by CTC—would be significantly lowered by leasing revenue from advance arrangements with operators. The city would subsidize low-income residents wishing to subscribe for fiber services from those private operators. CTC sets forth a detailed timeline for getting all of this done.

What’s great about this suggestion is that it removes any political argument that the city is somehow undermining the private market for internet access services. At the same time, a dark fiber public-private partnership would dramatically lower the cost for the private market to do what it does best: directly serve customers in a competitive environment that, on its own, produces low costs and innovation.

Over the years big ISPs and their policy armies have worked tirelessly to demonize municipal broadband as inevitable taxpayer disasters. But again, municipal broadband isn't a panacea; like any business plan it depends on the proposal and implementation. But neither is municipal broadband an automatic boondoggle, and those that adhere to this over-simplistic absolutist thinking often like to ignore a few things.

Like the fact that many of these networks struggle or fail because they're immediately met with either lawsuits or massive disinformation efforts bankrolled by ISPs, designed to kill many of these efforts before they've even gotten their footing. Also ignored is the fact that taxpayers have already spent billions upon billions on incumbent ISPs that consistently engage in outright fraud and waste, leaving citizens on the financial hook for fiber upgrades promised but never deployed. Most ignored however is the fact that these towns and cities wouldn't be considering such drastic measures if they were happy with existing broadband services.

Again, none of this is to say municipal broadband is a silver bullet, either. But it should be clear to anybody that has spent more than ten seconds dealing with Comcast or their local telco that the industry is broken, and it's going to take some creativity to fix it. And whether to build and run a local broadband network should be left up to local residents, not ISP lobbyists and policy wonks, living half a world away, whose entire goal is simply to keep the dysfunctional but hugely profitable status quo intact.

from the if-you-build-it-they-will-come dept

Despite being considered one of the technology capitals of the country, San Francisco and the Bay Area continue to suffer from a lack of broadband options -- just like the rest of us sorry sods. If they're lucky, most locals there still only have the option of one of two large ISPs: AT&T and Comcast. Both companies have a long, proud history of fighting competition tooth and nail, often by quite literally writing shitty state telecom law that ensures the status quo remains intact. Attempts to break through this logjam and bring faster, better broadband service to the city have seen decidedly mixed results.

Like most areas, ultra-fast next-generation broadband in particular is notably lacking. Some estimates suggest that just 2.6% of San Francisco residents have access to gigabit broadband service. Sonic CEO Dane Jasper, whose company is also busy deploying gigabit services to the Bay Area, tells me he believes those figures are stale and gigabit penetration rates in the city are closer to 17%. And while Google Fiber had tinkered with the idea of bringing fiber to the city, the company's pivot to wireless has left that added avenue of competition up in the air.

Last week, numerous Mayors and city officials in California and Arizona penned a letter to AT&T CEO Randall Stephenson, complaining that not only is AT&T not upgrading many DSL customers to fiber, they're not adequately maintaining existing copper (now that AT&T's primary focus appears to be media, and acquiring Time Warner):

"All too many Californians and Nevadans have waited far too long for AT&T to build the high-speed broadband infrastructure promised to them," the officials said in a letter to AT&T CEO Randall Stephenson. "Not only is AT&T failing to provide access to 21st-century high-speed connections to many communities, but it is also not maintaining the copper lines that are vital to landline phone access, 911 and emergency services and basic Internet service."

For most of the last fifteen years, bubbling under the surface of this dysfunction, a growing number of cities have decided to bypass broadband's duopoly and just build next-generation, citywide broadband networks from scratch. That effort received renewed attention this week in San Francisco when the city announced it was convening a panel of "business, privacy and academic experts" to debate and discuss just what such a network would look like. On that panel will be Harvard Law School Professor Susan Crawford, who has been consistently at the forefront of criticizing this country's broken broadband market.

The panel has been tasked with how best to build a network capable of delivering gigabit speeds at more reasonable prices:

In the coming months, the San Francisco Municipal Fiber Blue Ribbon Panel will conduct research and provide recommendations on the most efficient and effective ways to blanket the city with broadband, an effort that could cost up to $1 billion.

If it becomes reality, San Francisco would be the largest city in the country to implement citywide high-speed Internet. City officials are currently targeting speeds of 1 gigabit per second. The average Internet speed in the U.S. is 31 megabits per second according to the most recent data published by the Federal Communications Commission, so this could be about 30 times faster.

The problem is convincing people to pay for it. Seattle has spent the better part of the last fifteen years pondering its own network after being historically disappointed by ISPs like Comcast and CenturyLink. But locals have consistently shied away from funding such a massive project -- especially given the city's current focus on shoring up mass transit ahead of an ongoing population boom. Incumbent ISP lobbying also consistently tangles these efforts with disinformation and legal shenanigans, usually adding additional costs as the cities have to deal with lawsuits and other pay-to-play regulatory headaches.

We've long noted how while municipal broadband is often demonized, it's a perfectly organic reaction to market failure -- and if companies truly want to keep towns and cities from getting into the broadband business, the solution should be fairly obvious: provide better, cheaper broadband.

The San Francisco Police Department (SFPD) has worked with the FBI on a Joint Terrorism Task Force (JTTF) since 2007, with the purpose of investigating terrorism threats, collecting intel, and making arrests.

Generally speaking, federal partnerships are forever… especially in Forever Wars. Local law enforcement agencies have been working side-by-side with federal agencies since the Drug War began. The same goes for the War on Terror. Wars keep government agencies in good health, awash in perpetual funding and repurposed military gear. Local governments are seldom interested in ending these lucrative arrangements, whether or not the underlying activity is productive.

The other part is implied. By telling the feds to beat it, the SFPD is suggesting the FBI isn't doing much to acutally make San Francisco safer. The Joint Terrorism Task Force seems to be more about expanding surveillance and obtaining perpetual funding than preventing terrorist attacks or uncovering their conspiracies.

This much can be ascertained by the FBI's counter-terrorism efforts to date. For the most part, the FBI's terrorism busts have relied heavily on FBI informants being the brains, muscle, and wallet behind supposed future acts of terrorism. Undercover agents have pushed some of the weakest humans in the nation towards acts of violence -- acts which would likely never have materialized on their own. The FBI has poked and prodded easily-influenced people -- some elderly, some with mental problems -- into professing their support for [Current Top Terrorist Organization], helped them plan trips to [Top Terrorist-Associated Foreign Country], and purchased everything from duct tape to latex gloves to weapons for would-be terrorists that seemingly would have difficulty opening a savings account, much less coordinating an act of terrorism.

The SFPD feels it will be fine without the FBI's dubious assistance, which appears to be mostly limited to trampling civil liberties and ever-expanding surveillance with minimal oversight. The city can apparently handle the terrorism threat without federal intervention -- suggesting it's not much of a threat… and the FBI isn't much of a counter-terrorism agency.

What the city's rejection says about President Trump's orders and directives is pretty damning. What it says about the FBI and its counter-terrorism efforts is even worse.

from the policy-fight! dept

In highly regulated private industries the law means what it says – right up until a regulator decides that it doesn't. For that reason Uber, a company with a reputation for aggressively challenging legal norms, must have been particularly frustrated when the California Department of Motor Vehicles decided to publicly rebuke it for complying with the law of the Golden State.

The crux of the issue is that Uber decided to move forward with deploying some of its vehicles with automated technologies onto California's roads without a permit which, the California DMV believes, it must first obtain before rolling out.

In a statement, the DMV said that it has a "permitting process in place" through which twenty manufacturers have obtained permits. Then, so as to leave no double about its position on the matter, stated that "Uber shall do the same."

Now, whether the new Volvo XC90's equipped with Uber's technologies are "autonomous vehicles" as a matter of perception or regulatory projection is up for debate. Different people have different ideas about what fits that mold. But, when it comes to whether the DMV should take action to slow Uber's work, the question turns from one of perception to one of law and textual interpretation.

California, by way of the DMV, has chosen to define an autonomous vehicle in regulation as a vehicle equipped with technology "...that has the capability of operating or driving the vehicle without the active physical control or monitoring of a natural person...." Thus, the factual question that confronted Uber before it made its decision to deploy the vehicles in California was simple: "is this vehicle capable of driving without being monitored or controlled by a driver?"

For all of their impressive capabilities, it is a matter of public record that Uber's vehicles often require human intervention. By extension, those vehicles require constant monitoring by a human driver. On that basis, Uber likely thought that, while not toeing the industry line, its vehicles do not meet the definitional threshold necessary to trigger the state's autonomous vehicle testing regulations.

Of course, what regulatory history there is that points to a different intent, one that tracks with the DMV's argument, is no doubt informative and interesting as a matter of historical record, but it should not overcome the obvious strictures of the regulation as written.

In the meantime, the DMV has sent Uber a cease and desist letter. While the merits of regulation are often a matter of debate, the even application of the plain language of the law should not be. Unfortunately, it appears that Uber, by dint of its reputation, is facing unwanted "special treatment" by its regulator. Worse, the DMV may be expanding the reach of its regulations after the fact. If that's the case, and certainty is lost, so too will be the very definitional purpose of the DMV's regulations – to make regular.

from the pwned dept

We've noted consistently how the medical industry has become a hotbed of ransomware attacks thanks to too many incompetent IT administrators, and too many hardware vendors for which security is a fleeting afterthought. In fact, hospitals are now seeing more than 20 ransomware attacks a day; attacks that in many instances have forced the cancellation of scheduled surgeries and wreaked havoc on the day-to-day operations of many in the healthcare sector.

But security incompetence isn't restricted just to the healthcare industry. Last week, the San Francisco mass transit system learned this the hard way when hackers effectively took over transit systems used by the San Francisco Municipal Transit Agency, infecting them with ransomware and refusing to return control unless the city was willing to pay $73,000 in bitcoin. The hack hasn't just disabled the city's transit systems, but apparently has crippled the SF MTA's payroll systems, email servers, Quickbooks, NextBus operations, various MySQL database servers, and staff training and personal computers for hundreds of employees.

All told, it's believed that hackers compromised about 2,112 of the 8,656 computers attached to the SF MTA's network. As a result, the city had to simply unlock all turnstiles and let riders ride the system for free as it tried to climb out from underneath the mess:

Like most ransomware attacks, the SF MTA is being told to make a payment to an anonymous bitcoin wallet if they want the key to decrypt compromised data on its hard drives:

"if You are Responsible in MUNI-RAILWAY !
All Your Computer’s/Server's in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!
We have 2000 Decryption Key !
Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server's HDD!!
We Only Accept Bitcoin , it’s So easy!
you can use Brokers to exchange your money to BTC ASAP
it's Fast way!"

from the well,-that's-a-problem dept

Earlier this year, we noted that a bunch of cities were looking to make Airbnb liable for residents in those cities using the platform without following certain city rules. As we noted at the time, this seemed to pretty clearly violate Section 230 of the CDA, which says that platforms cannot be liable for the actions of their users. San Francisco went ahead with such a law anyway, even though it tried to rework it at the last minute to deal with Airbnb's points on why it was illegal. The case ended up in court either way -- and unfortunately, the initial ruling has sided with San Francisco over Airbnb.

Now, I know that for a variety of reasons, there are people who just flat out hate Airbnb and think that it's somehow bad or problematic for cities or rental prices or whatever. I don't think the data supports this, but either way, you should be concerned about the results here. This isn't about whether or not Airbnb is "good" or "bad" for cities. It's about a fundamental principle on which the internet operates -- which has allowed the internet to grow and to thrive, and which has protected free speech on the internet, by not making platforms magically liable for what users say or do. But the court here basically doesn't care about all of that.

The judge tries to carefully parse things out to argue that under this law, Airbnb isn't liable for its users' actions, but its own:

As the text and plain meaning of the Ordinance demonstrate, it in no way treats plaintiffs as the publishers or speakers of the rental listings provided by hosts. It does not regulate what can or cannot be said or posted in the listings. It creates no obligation on plaintiffs’ part to monitor, edit, withdraw or block the content supplied by hosts. To the contrary, as San Francisco has emphasized in its briefs and at oral argument, plaintiffs are perfectly free to publish any listing they get from a host and to collect fees for doing so -- whether the unit is lawfully registered or not -- without threat of prosecution or penalty under the Ordinance.... The Ordinance holds plaintiffs liable only for their own conduct, namely for providing, and collecting a fee for, Booking Services in connection with an unregistered unit.

But that misunderstands both the nature of the platform and the nature of Section 230. First of all, the law absolutely creates an obligation on Airbnb to monitor, withdraw or block the content supplied by hosts -- because if they do not, then they will face significant liability. The idea that it's only targeting Airbnb's "conduct" of booking an unregistered unit is simply incorrect. The platform allows anyone to put up any unit. Not Airbnb. Not only does this new regulation falsely attribute to Airbnb the actions of its users, this judge does too. That's a problem.

We've written a lot about Section 230 over the years, and unfortunately in the last few months a bunch of cases have chipped away at these important protections. In each case, the courts seem to think that the situation in front of them is somehow unique and Section 230 shouldn't apply. Considering how important Section 230 has been to the internet as a whole and the protection of free speech, we should be very, very concerned about so many of these cases picking apart the law and adding serious liability. It won't end well. Hopefully Airbnb appeals this... and the 9th Circuit doesn't muck it up.

from the section-230 dept

Back in May, we noted that large cities around the country were rushing to put in place anti-Airbnb laws designed to protect large hotel companies. In that post, we noted that many of the bills almost certainly violated Section 230 of the CDA by making the platform provider, Airbnb, liable for users failing to "register" with the city. Section 230, again, says that a platform cannot be held liable for the actions (or inactions) of its users. San Francisco was the first city to get this kind of legislation pushed through. And while the city's legislators insisted that Section 230 didn't apply, they're now going to have to test that theory in court. Airbnb has asked a court for a preliminary injunction blocking the law, based mainly on Section 230, but also mentioning the Stored Communications Act and tossing in a First Amendment argument just in case.

As designed and drafted by the Board of Supervisors, the Ordinance directly conflicts with,
and is preempted by, Section 230 of the Communications Decency Act, 47 U.S.C. § 230 (the
“CDA”). According to its own sponsors, the law holds “hosting platforms accountable for the
hundreds of units (rented by) unscrupulous individuals” posting listings on their websites, and holds
“Airbnb Accountable for Listing Illegal Short Term Rentals.” Declaration of Jonathan H. Blavin
(“Blavin Decl.”)... As such, the Ordinance unquestionably
treats online platforms like Airbnb as the publisher or speaker of third-party content and is
completely preempted by the CDA. In addition, the law violates the Stored Communications Act,
18 U.S.C. §§ 2701 et seq. (the “SCA”), by requiring disclosure to the City of customer information
without any legal process, and the First Amendment as an impermissible content-based regulation.

As Airbnb points out, the city even recognized that the bill probably runs afoul of Section 230, but signed it into law anyway:

The City was not blind to the fact that the Ordinance might run afoul of the CDA and other
laws. Following its passage, the Mayor’s office said that the “mayor remains concerned that this
law will not withstand a near-certain legal challenge and will in practice do nothing to aid the city’s
registration and enforcement of our short-term rental laws.” ... The City
Attorney’s Office acknowledged that the Ordinance could raise “issues under the Communications
Decency Act” but claimed that it had been drafted “in a way that minimizes” those issues by
regulating “business activities” instead of “content.” ... Despite the City’s
best efforts to tiptoe around the CDA through such semantic devices, the problem for the City is
that the substance of what the Ordinance seeks to do violates the CDA. No amount of creative
drafting can change that reality.

The Stored Communications Act argument involves the requirements of Airbnb to turn over information on its users. The SCA is a part of ECPA, the Electronic Communications Privacy Act, that is supposed to protect the privacy of electronic communications (though, it's in deep need of an update). Here, Airbnb points out that the city ordering it to release customer information almost certainly violates the SCA.

The verification provisions of the Ordinance separately are barred by the SCA. In a futile
effort to sidestep the CDA, the Ordinance requires Hosting Platforms to verify listings by disclosing
to the City host names and addresses “prior to posting” a listing—and without a subpoena.... But in this failed endeavor to avoid Section
230, the Ordinance runs smack into the SCA, which bars state laws that compel online services like
Airbnb to release customer information to governmental entities without legal process.

The First Amendment argument is basically a backstop in case the CDA and SCA arguments fail, and then there's a Constitutional argument to appeal. If the court deals with the case on CDA and SCA grounds, it probably will avoid the First Amendment question altogether. But, the basis is that regulating types of advertisements on Airbnb's platform is a form of a content-based restriction on speech. And there is a strong argument that in restricting the content on the platform, rather than merely punishing the people who post their content to Airbnb, that the law violates the First Amendment. There are exceptions but, generally speaking, the First Amendment doesn't like any law that blocks out speech entirely, even if it's commercial speech.

The Ordinance also violates Hosting Platforms’ First Amendment rights. The prohibition on
the publication of certain rental advertisements—i.e., those listings without verified registration
numbers—is a content-based speech restriction subject to “heightened judicial scrutiny” under the
First Amendment.... The City cannot meet its
burden of demonstrating that this speech restriction directly advances a substantial state interest and
does so in a narrowly tailored way. Even assuming the Ordinance actually advances a substantial
state interest (which is questionable), it places a far greater burden on speech than is necessary to
achieve that end. The “normal method of deterring unlawful conduct” is to punish the conduct,
rather than prohibit speech or advertising regarding it.... The City cannot show that the obvious alternative of enforcing its existing laws against third-party residents who rent properties in violation of the law, rather than against Hosting
Platforms, would be ineffective or inadequate. Just the opposite: it is clear the City could enforce
its laws directly against hosts who violate them—as it already has begun to do with increasing
effectiveness and success—rather than indirectly against Hosting Platforms that publish listings.
Further, the law is unconstitutionally overbroad as it punishes platforms for publishing any listing
without complying with its “verification” procedures—including those listings that may be lawful.

Whatever you think of Airbnb (and people seem to get more emotional about it than seems reasonable...), this lawsuit could become quite important in making sure that Section 230 remains strong in protecting internet services providing useful services to individuals. In the past month or so, we've seen a number of questionable Section 230 rulings (especially in California) that have started to chip away at this law. However, I don't see how any of those rulings directly apply to this case. The most direct comparison is probably the Model Mayhem case but, in that case, the court was clear that it allowed the California law requiring the platform to "warn" users to stand in part because it did not require the platform "to remove any user content or otherwise affect how it publishes or monitors such content." That's clearly not the case with this Airbnb law.

Either way, this is a case worth following, and hopefully one where the courts don't lop off another chunk of Section 230's protections (or, for that matter, the SCA's privacy protections).

Separately, there's a very, very bizarre NY Times article about this, falsely claiming that Airbnb is suing over a law it helped pass. That's just wrong. It's really bad reporting. Airbnb is clearly suing over the new language voted in by the SF Board of Supervisors earlier this month, and not the broader law that passed a few years ago.

from the bad-ideas dept

Fights over tech policy are going increasingly local. Most technology regulations have been federal issues. There have been a few attempts to regulate on the state level -- including Pennsylvania's ridiculous attempt to demand ISPs filter out porn in the early 2000s. But state legislators and Attorneys General eventually learned (the hard way) that federal law -- specifically CDA 230 -- prevents any laws that look to hold internet platforms liable for the actions of their users. This is why state Attorneys General hate Section 230, but they need to deal with it, because it's the law.

It's looking like various cities are now about to go through the same "education" process that the states went through in the last decade. With the rise of "local" services like Uber and Airbnb, city by city regulation is becoming a very, very big deal. And it seems that a bunch of big cities are rapidly pushing anti-Airbnb bills that almost certainly violate Section 230 and possibly other federal laws as well. In particular, San Francisco, Los Angeles and Chicago are all pushing laws to further regulate platforms for short term housing rentals (and yes, the SF effort comes just months after another shortsighted attempt to limit Airbnb failed).

The bills basically look to force people who want to use platforms like Airbnb to register, but then look to hold the platforms liable if a renter does not include the registration info in their profile. Gautam Hans does a nice job in the link above outlining why San Francisco's proposed bill -- which will be voted on shortly -- clearly would fail to survive a Section 230 challenge:

This imposition of liability clearly goes against Section 230, which states in (c)(1) that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider” — meaning that, if an information content provider, typically an individual user, posts something illegal, the interactive computer service, typically a website, can’t be held liable for it. Moreover, under (e)(3), “no liability may be imposed under any State or local law that is inconsistent with this section.” States and localities can pass laws that are consistent with Section 230, but anything inconsistent with Section 230 — like the imposition of liability on a website operator for user-generated content — is unlawful. From a logistical perspective, this makes a great deal of sense. If states and cities could enact a variety of conflicting laws, the whole point of Section 230 would be undermined. As a global medium, the internet wouldn’t work if it were subject to piecemeal regulations by every state and city within the US.

Hans also points out that the Chicago proposal (which is ~50 pages!) is equally bad:

The other recent proposal, from Chicago, creates similar issues by holding platforms liable for user content. Like the San Francisco proposal, it uses fines as the leverage to require platforms to ensure that listings on a platform have been approved by the city. And, as with the San Francisco proposal, the architecture of the liability structure runs afoul of Section 230’s preemption clause. The problematic language in this legislation, Section 4-13-250, states “It shall be unlawful for any licensee … to list, or permit to be listed, on its platform any short term residential rental that the commissioner has determined is ineligible for listing”; the penalty for violations, in Section 4-13-410, is “a fine of not less than $1,500.00 nor more than $3,000.00 for each offense. Each day that a violation continues shall constitute a separate and distinct offense.” This essentially creates a strict liability regime for website operators based on third-party content: if a user uploads a non-compliant rental listing, the site operator would immediately be in violation of this provision, regardless of whether they were aware of the posting or its ineligible status. No matter what the amount the potential fine is, this imposition of liability clearly contravenes Section 230.

Hans doesn't cover the LA law, but it's just as problematic (potentially more problematic!). Like the SF and Chicago bills, the focus is on requiring registration, and then puts liability on the platforms:

Hosting Platform Requirements.

(1) Actively prevent, remove and cancel any illegal listings and bookings of short term
rentals including where a listing has been offered: without a Home-Sharing
registration number; by a Host who has more than one listing in the City of Los
Angeles; or, for a rental unit that exceeds 90 days in a calendar year.

Yes, sure, cities are concerned about how Airbnb can impact the way cities are run -- though over and over again we've seen evidence that Airbnb can be super helpful to cities in terms of increasing tourism and opening up new ways for people to earn money. But, if cities want to target questionable practices, they should do so by targeting the actual questionable practices, not by trying to skip around Section 230 and pretending it doesn't exist. I'm sure, as with the state AGs, we may hear city officials whine about how terrible Section 230 is and how it gets in the way of them "protecting citizens" or whatever they're going to claim, but those claims are silly. Section 230 is about properly targeting liability. When you point the liability in the wrong direction -- at platforms -- you reduce innovation and chill useful services. As Hans notes:

Enforcing the laws of a city or state is an important goal, especially when those laws are designed for compliance, safety, and non-discrimination. Yet it is equally important to ensure that the internet remains an open platform for innovation and exchange, which requires ensuring that intermediaries are not held legally responsible for content they did not author. In enacting Section 230, Congress ensured that this value would be the law of the land, and it is important that cities and states abide by superseding federal law.

One would hope that the cities in question would recognize the legal problems with their own bills before they decide to move forward on any of them. Otherwise, they're just going to end up wasting a ton of taxpayer money when someone takes these to court, and the cities inevitably lose, just as the states did a few years ago.